
Journal of Physical Security 8(2)

This is the November 2015 issue of the peer reviewed Journal of Physical Security. In addition to the usual editor’s rants about security (and other things), this issue has research papers on single service vs. bundled security, and on social media impacts on emergency response and business continuity.

There are also 4 viewpoint papers. These include a review of the new ASIS International Risk Assessment Standard, an essay on why you should hate security, an editorial on the storage of high-level nuclear waste, and what the Internet of Things and a new IEEE standard for wireless privacy and security may mean for physical security.

Published in: Engineering

Journal of Physical Security 8(2)

  1. 1. Table of Contents
     • Editor’s Comments, pages i-xv
     • M Gill and C Howell, “Single Service or Bundle: Practitioner Perspectives on What Makes the Best Security”, pages 1-14
     • GD Curry, JJ Leflar, M Glasser, R Loyear, B Grey, T Jordan, L Ong, W Preining, and JM Sobron, “How Social Media is Transforming Crisis Management and Business Continuity”, pages 15-36
     • RG Johnston, “The New ASIS Standard on Risk Assessment”, pages 37-38
     • S Hunt, “Why I Hate Security”, pages 39-41
     • Albuquerque Journal, “WIPP May be the Best Place for Weapons-Grade Waste”, pages 42-43
     • L Coney, “The IoT and the Ability to Defend Against the Silent Intruder”, pages 42-53
  2. 2. Journal of Physical Security 8(2), i-xv (2015) i Editor’s Comments Welcome to volume 8, issue 2 of the Journal of Physical Security (JPS). In addition to the usual editor’s rants about security (and other things) that appear immediately below, this issue has research papers on single service vs. bundled security, and on social media impacts on emergency response and business continuity. There are also 4 viewpoint papers. These include a review of the new ASIS International Risk Assessment Standard, an essay on why you should hate security, an editorial on the storage of high-level nuclear waste, and what the Internet of Things and a new IEEE standard for wireless privacy and security may mean for physical security professionals. Papers are peer reviewed unless otherwise noted. Past issues of JPS are available at http://jps.rbsekurity.com, and you can also sign up there to be notified by email when a new issue becomes available. JPS is hosted by Right Brain Sekurity (RBS) as a free public service. RBS (http://rbsekurity.com) is a small company devoted to physical security consulting, vulnerability assessments, and R&D. As usual, the views expressed in these papers and the editor’s comments are those of the author(s) and should not necessarily be ascribed to their home institution(s) or to Right Brain Sekurity. ***** Germy Biometrics Every human walks around surrounded by a cloud of millions of microbes that represent a unique “fingerprint” that can potentially be used to identify or verify a person’s identity, even after he or she has left the room. For information, see: http://www.theatlantic.com/health/archive/2015/09/inside-the-germ-cloud/406591/ ***** Be Still My Heart Bionym has developed a wristband that uses an electrocardiogram (EKG) sensor to identify the unique cardiac rhythm of the wearer. A Bluetooth or NFC connection is used to, for example, use the biometric to log onto a computer. 
For more information, see https://www.washingtonpost.com/news/innovations/wp/2014/11/21/the-heartbeat-vs-the-fingerprint-in-the-battle-for-biometric-authentication/
  3. 3. Journal of Physical Security 8(2), i-xv (2015) ii ***** Defeating Biometrics Researchers at the University of Alabama at Birmingham have demonstrated how to spoof voice-based user authentication software with electronic voice impersonation. See http://www.uab.edu/news/innovation/item/6532-uab-research-finds-automated-voice-imitation-can-fool-humans-and-machines. (Thanks to Indir Jaganjac for pointing out this work.) Most biometrics can be fairly easily counterfeited—and it would be surprising if the Microbial and Heartbeat Biometrics discussed above were any different. What is often overlooked is that most biometric hardware is also vulnerable to simple physical/electronic spoofing, such as man-in-the-middle attacks, not just counterfeiting or copying of the biometric signature. These MiM attacks can be done very quickly at the factory, vendor, during shipment, on the loading dock, or before or after installation. It can be quite difficult to detect such attacks—examining software or checking if the device operates normally is of little value in determining if it has been compromised. There needs to be a secure chain of custody right from the factory, effective tamper-detection built into the biometric devices, and independent and imaginative vulnerability assessments conducted. All of these things are almost universally lacking for biometrics devices—indeed, for almost any kind of security device. ***** Piss and Vinegar New research suggests that people are better liars when they have a full bladder. It is not immediately clear how to apply this to security. For more information, see: https://www.newscientist.com/article/dn28199-the-lies-we-tell-are-more-convincing-when-we-need-to-pee/ ***** MLB Authentication Major League Baseball (MLB) has an authenticity program for sports memorabilia. Official authenticators are on hand for every MLB game. 
Their job is to try to maintain a visual chain-of-custody on game-day items, such as a baseball involved in a record-breaking play, that are of interest to sports memorabilia collectors. The authenticators attach what MLB calls a “tamper-resistant” authentication hologram—though it isn’t particularly tamper-resistant—and assign the item a unique ID number. (Sometimes these tags are called “tamper-proof”, which is even worse terminology.)
  4. 4. Journal of Physical Security 8(2), i-xv (2015) iii “Lifting” these kinds of pressure-sensitive adhesive holograms, i.e., moving the sticker from one item to another without leaving evidence, is usually not very difficult to accomplish, especially in the first 48 hours before the pressure-sensitive adhesive has fully set up. Moreover, the authenticators are often attaching the stickers to dirty baseballs, dusty bats, and sweaty jerseys that are less than ideal adhesion surfaces. Lifting, however, isn’t of prime interest to counterfeiters because it leaves them with an authentic item that lacks a hologram. What is more useful for the bad guys is to counterfeit the hologram, or merely mimic it, which is even easier. The counterfeiting or mimicking of embossed, metalized holograms is especially straightforward. Typically the holographic sticker only has to fool a visual inspection by a non-expert. It is thus mostly Security Theater. The true security in the scheme—if indeed there is any—is in the visual chain-of-custody during the ballgame, and the unique ID that can theoretically be used to verify authenticity. It is not clear how secure the MLB chain-of-custody is after the game, or what kind of insider threat mitigation is in place for authenticators and item handlers. It is also not clear if the MLB call-back scheme to check on the unique ID number is effective. Virtual Numeric Tokens can indeed be a powerful tool for anti-counterfeiting, but only if implemented intelligently. Otherwise, this, too, may just be Security Theater—like so many other approaches to product counterfeiting. You can see an interesting video at http://mlb.mlb.com/mlb/authentication/ that explains the MLB authentication process. Note in the video that one of the authenticators leaves his roll of “tamper-resistant” holograms briefly unattended during the ballgame. So much for a secure chain-of-custody! 
To MLB’s credit, they at least take the visual chain-of-custody issue seriously during the game. On October 13, 2015, the Cubs’ Kyle Schwarber hit a towering home run at Wrigley Field during the National League Division Series (NLDS) that went over the top of the main video board but then disappeared. Later that night, a ball was spotted sitting at the top of the video score board. This ball was not eligible to become an official MLB souvenir, however, because it had left the sight of the MLB authenticator. This was the case even though the ball had the appropriate NLDS printing that differs from regular season and practice balls, and almost certainly had to be Schwarber’s home run ball. ***** Anti-Counterfeiting? NEC is reportedly developing a product anti-counterfeiting technology that uses a smartphone to check unique surface markings on high-end products. See http://blogs.wsj.com/digits/2014/11/12/nec-smartphone-tech-can-spot-fake-bling/
  5. 5. Journal of Physical Security 8(2), i-xv (2015) iv It is difficult to believe that product counterfeiters would have any problem duplicating surface patterns or morphology, as this is typically quite easy to do, even down to the microscopic level. If counterfeiters knew the location of where the checking was to be done—as we would have to assume they would—the task of duplicating a surface pattern should be relatively simple. But, like a lot of anti-counterfeiting technology, it probably will never be subjected to a serious vulnerability assessment that investigates subtle (as opposed to knucklehead) attacks. ***** Security Theater The TV show “Adam Ruins Everything” on truTV takes on examples of Security Theater in a very entertaining but totally valid way. See the Security Theater episode at: http://www.trutv.com/shows/adam-ruins-everything/blog/adams-sources/adam-ruins-security.html ***** Chip and Pin The new “smart” credit cards are out with the embedded microchip. These cards are compliant with the EMV Standard, long in use in Europe. (“EMV” stands for Europay, MasterCard, and Visa). These smart cards should reduce credit card fraud. When they were introduced in France, Canada, and the UK, there was a drop of more than 50% in lost or stolen credit card fraud. We can expect credit card fraud to now move more onto the Internet. In the United States, we will be mostly using a “Chip and Signature” approach, where a signature is used instead of the more secure personal identification number (PIN). Credit card companies fear Americans would be too annoyed or forgetful if they had to produce a PIN, as is often done in Europe (or in the U.S. for debit cards). Signing your signature at the point of sale rather than using a PIN is largely Security Theater, as pointed out in the TV show “Adam Ruins Everything” discussed above. 
The EMV standard is a big deal for small businesses because—starting last month—if your business accepts and processes a counterfeit EMV card transaction on an old, non-EMV terminal, the liability for the transaction is yours—no longer the credit card company’s. Only 59% of US retail stores are expected to be EMV-compliant by the end of this year, and only 1 out of 3 small businesses (according to a Javelin study) is even aware of this switch in liability.
  6. 6. Journal of Physical Security 8(2), i-xv (2015) v ***** Gambling Cheats Here is a really interesting website about 10 individuals who “cheated” casinos: http://listverse.com/2010/01/24/10-gamblers-who-beat-the-casino/ Not everything these people did was necessarily illegal. Perhaps the most intriguing character is Tommy Glenn Carmichael who came up with numerous, clever inventions to beat slot machines. He dutifully paid income taxes on his illicit winnings, however. Carmichael went on to become a consultant for casinos and gambling security. Also, did you know that a century ago, many of the companies that made playing cards sold a variety of different kinds of “advantage tools” which allowed card players to cheat? These included “card pricks”, “poker rings”, “punches”, and “peggers” to mark cards with a very subtle indentation. There were also “holdout machines” that let you keep a card out of circulation—under a table or up your sleeve—until you needed it in the game. See http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.134.1119&rep=rep1&type=pdf ***** Art and Anarchy Two books worth reading: 1. The Art of Forgery by Noah Charney. This is a breezy and highly entertaining tour through the history of art forgery (and other kinds of forgery). Charney convincingly makes the point that money is not the prime motivator for most art forgers, at least initially: “Testing and demonstrating one’s genius and ability, revenge against the art establishment that has slighted you, and acclaim are more common reasons forgers initially try their hand.” In art forgery, as in a lot of security attacks, disgruntlement is a huge motivator for insider attackers. My favorite forgery discussed in the book involves the theft of Matisse’s Odalisque in Red Trousers from the Caracas Museum of Contemporary Art in Venezuela. An FBI sting operation recovered the stolen painting in 2014. The burglars had replaced the original painting with a somewhat amateurish forgery. 
(Charney points out that this MO—stealing the original and replacing it with a fake—is actually fairly rare in the world of art theft.) It took 2 years before anybody even noticed the switch. The fake had fooled all the curators, staff, art experts, guards, and visitors at the museum for two years. The forgery was in place and unrecognized in September 2000 when a proud President Hugo Chavez was photographed standing in front of what was supposed to be the museum’s most prestigious piece. A total of 14 other works were later found to be missing from the museum.
  7. 7. Journal of Physical Security 8(2), i-xv (2015) vi As countermeasures to art and artifact forgery, Charney recommends independent evaluations devoid of conflicts of interest—just as is needed for other kinds of security such as risk assessments or vulnerability assessments. Auction houses, museums, art connoisseurs, and “discoverers” who have an economic, reputational, or ego interest in the found art or artifact being authentic are simply too easy to fool. Charney also believes the public and news media should stop making Robin Hood-like heroes of art forgers and art thieves. He calls for laws that prevent forgers from benefiting economically from any sale of art or artifacts after conviction. He would like to see more careful analysis of provenance evidence/documents, more skepticism, and more scientific forensics where practical. 2. Immigrants Against the State by Kenyon Zimmer. This is a scholarly discussion of American anarchists in the late 19th and early 20th centuries, especially Italian and Yiddish-speaking immigrants who were major players in the anarchist movement. People tend to forget today that the anarchist movement was a source of very serious terrorist attacks in the United States and Europe, including bombings, assassinations, bank robberies, and IEDs mailed to prominent people and government leaders. U.S. President William McKinley was assassinated in 1901 by an anarchist sympathizer. American anarchists had complicated, sporadic connections with socialist groups and various labor movements and unions, but tended to have a philosophy of their own. This often involved rejecting some or all of government, tyranny, regulations, capitalism, exploitation of the working class, war, misogyny, and religion. The majority of anarchists were non-violent; those that were violent tended to think of their terrorism as legitimate political or social violence they called “propaganda of the deed”. 
Anarchist violence largely ran out of steam in the 1920s on its own. The repressive and extreme measures taken by governments against anarchists—think Patriot Act and McCarthyism only a lot worse—were mostly ineffective. The anarchism movement itself gradually gave way to other methods of trying to deal with perceived social injustice such as labor movements, labor and anti-trust legislation, social welfare programs, the progressive movement, socialism, and communism, as well as various feminist, suffrage, and civil rights movements. Many immigrants also became somewhat better integrated into American society. Anarchists are still around today, of course, but they are almost entirely non-violent and are not dominated by immigrants. ***** Growth Industry According to the November 6, 2015 issue of The Week, private security was a $202 billion industry in 2013, and is projected to be at $282 billion by 2020. This is compared to a mere $52 billion in 1990.
  8. 8. Journal of Physical Security 8(2), i-xv (2015) vii Of the 5 fastest growing security companies, 3 primarily work in the area of physical security, rather than cyber security, and had growth rates well in excess of 1000% from 2011 to 2014. ***** Run Away from Danger? The National Nuclear Security Agency (NNSA) has been criticized for issuing a name-brand solicitation in February 2015 for 5 top-of-the-line Woodway treadmills. (See https://www.fedconnect.net/FedConnect/?doc=DE-SOL-0008095&agency=DOE.) The model NNSA is seeking costs over $10,000, with upgrades adding up to $3,900 per unit. NNSA plans to “utilize the treadmills to qualify Federal Agents on the running requirements established by the NNSA …” Good quality treadmills of the kind used in your neighborhood fitness center can be had for around $4,000. Presumably, NNSA personnel need to be fleet of foot to keep up with elderly, pacifist nuns who penetrate deeply into nuclear facilities. For an interesting take on this, see http://www.newyorker.com/magazine/2015/03/09/break-in-at-y-12. ***** I Hate When That Happens Almost 50 years after a horrendous nuclear accident in Spain, the cleanup is not complete. On January 17, 1966, a B-52 bomber and a KC-135 refueling plane crashed into each other mid-air above the small town of Palomares in Spain. A total of 7 crewmembers died, and 4 nuclear weapons fell to Earth. One fell into the Mediterranean and was eventually recovered after considerable effort. Two of the three bombs that hit the ground burst open when their conventional high-explosives went off, and this caused the release of plutonium into the surrounding area. The casings of two of the recovered nuclear bombs involved in the Palomares incident are on display at the fascinating National Museum of Nuclear Science and History in Albuquerque. U.S. Secretary of State John Kerry recently signed a new agreement in Spain, pledging continued U.S. 
assistance with the cleanup of contaminated soil from the Palomares accident. The plutonium-contaminated soil may be shipped to the United States for permanent storage. See The Day We Lost the H-Bomb by Barbara Moran (2009) as well as http://www.cnn.com/2015/10/20/europe/spain-us-palomares-nuclear-accident-cleanup/?iid=ob_article_footer_expansion&iref=obnetwork
  9. 9. Journal of Physical Security 8(2), i-xv (2015) viii There have been numerous other accidents and mishandlings of nuclear weapons over the years—many that are true head shakers and far too ridiculous to put into the plot of a bad paperback spy novel. There will be more amazing nuclear bungling incidents in the future. ***** Culture of Denial A new study by think tank Chatham House concludes that nuclear power plants are extremely vulnerable to cyber attacks and that a “culture of denial” is getting in the way of good cyber security. See http://www.ft.com/cms/s/0/b5f0df54-6aa1-11e5-aca9-d87542bf8673.html#axzz3pVEmcPiZ ***** The Plastic Internet of Things A new Barbie doll, named “Hello Barbie”, is now available. A joint venture between Mattel and ToyTalk, Hello Barbie is a wi-fi connected playmate that can carry on a conversation with the doll’s owner. When children talk to Hello Barbie, their conversations are recorded and sent back to ToyTalk’s servers so that Barbie can “remember” details of the child’s likes. Privacy advocates have called this feature “creepy”. There are supposedly some strong parental controls built in. For more information, and to read various views about Hello Barbie, see: http://pixelkin.org/2015/09/11/why-hello-barbie-is-not-as-creepy-as-she-sounds/ and http://www.dallasnews.com/business/retail/20150328-hello-barbies-critics-using-mattel-doll-to-wage-privacy-fight.ece ***** Secret Computing: Beyond Playing Video Games at Work The IEEE Spectrum has an excellent article on concepts for keeping data encrypted during computations and database processing. This can greatly increase the security and privacy of the data. See “How to Compute with Data You Can’t See”, http://spectrum.ieee.org/computing/software/how-to-compute-with-data-you-cant-see *****
  10. 10. Journal of Physical Security 8(2), i-xv (2015) ix The Prison Problem It is widely believed that the reason there are so many Americans in prison is due to drug arrests. David Brooks in the New York Times questions this assumption. He points out that only 17% of inmates in state prisons are there for drug related offenses, with the percentage continuing to decrease. Mandatory sentences are also not the cause of having so many people in prison. According to Brooks, the reason we have so many prison inmates may primarily be a combination of prosecutors wanting to seem tough on crime by avoiding plea bargaining, and the fact that many inmates with mental illness who would have been sent to mental institutions in the past are now warehoused in prison. To read the editorial, see http://www.nytimes.com/2015/09/29/opinion/david-brooks-the-prison-problem.html?_r=0. ***** Nobel Peace Prize? According to BleacherReport.com, the National Football League (NFL) recently went an entire calendar month (September) without any of its players getting arrested. This is the first time that has happened since 2009. ***** We Are Safer According to researcher David Finkelhor at the University of New Hampshire, the physical abuse, sexual abuse, and neglect of children declined by 55, 64, and 13 percent respectively, between 1992 and 2011. Abduction by strangers is also sharply down. The Centers for Disease Control (CDC) says that the death rate for children 12 and under declined by 43% in the last decade. See http://www.unh.edu/ccrc/pdf/_Updated%20trends%202013_dc-df-ks-df.pdf and http://nymag.com/scienceofus/2015/03/we-live-in-an-age-of-irrational-parenting.html An under-appreciated statistic is that, according to the FBI, the U.S. homicide rate in 2013 (the most recent year for which statistics are available) was 4.5 per 100,000 people. This is approximately the same as in 1962 and less than half the rate of 1993. This is among the lowest rates since the end of World War II. 
*****
  11. 11. Journal of Physical Security 8(2), i-xv (2015) x Scandinavia According to the Independent (UK) newspaper, Norwegian police fired their guns only twice in 2014, injuring or killing nobody. In Norway, police are usually unarmed and only carry guns in special situations. On the other hand, Sweden has the second highest reported rate of rapes in the world, about 3 times higher than the United States. Some of this is due to changes in how rape statistics are reported there. See https://en.wikipedia.org/wiki/Rape_in_Sweden ***** Sis-Boom-Bah The October 18, 2015 issue of The Chronicle of Higher Education has an excellent article on the history, challenges, and controversies of college and university policing. See Scott Carlson, “Campus Cops’ Contested Role”, pages A18-A21. In the same issue is a story about a study of college exam cheating. The investigators recommend randomly assigning seats to students during exams as a countermeasure to copying. See Kate Stoltzfus, “To Stop Exam Cheats, Economists Say, Try Assigning Seats”, page A15. [Incidentally, the classic college cheerleading chant “sis-boom-bah” was around in 1867, and may go back to 1858 or earlier. It is meant to mimic a skyrocket: “sis” for the launch, “boom” for the explosion, and “(b)ah” for the crowd reaction. For more on the history of this cheerleading chant, see http://esnpc.blogspot.com/2014/05/skyrockets-transatlantic-cable-and-pre.html.] ***** TSA Follies USA Today reports that the Transportation Security Administration (TSA) has paid about $3 million over 5 years for claims that airport security screeners broke, lost, or stole luggage and/or its contents. The TSA settled by making payments in about one-third of the 50,000 claims filed from 2010 to 2014. The number of claims filed was down about 35% from 2010 to 2014. Since 2003, the TSA has fired more than 500 TSA officers for theft. 
The story can be found at http://www.usatoday.com/story/news/2015/07/02/tsa-damage-tops-3m/29353815/ Bruce Schneier asks in a recent editorial why we are spending $7 billion on ineffective or unnecessary efforts by the TSA: http://www.cnn.com/2015/06/05/opinions/schneier-tsa-security/
  12. 12. Journal of Physical Security 8(2), i-xv (2015) xi Josh Noel in a June 19, 2015 article in the Chicago Tribune notes these TSA failings: • More than 1,500 TSA badges used by TSA employees to access airport security areas are lost, missing, or stolen. • The TSA failed to identify 73 airport workers with potential terrorist links. • In a recent test, DHS agents were able to get banned items past TSA airport screening 95% of the time. Part of what I think is the problem with the TSA—a problem shared by many other organizations, including NNSA, DOE, DoD, IAEA, and NRC—is a failure to perform frequent imaginative, independent vulnerability assessments (VAs) to find security weaknesses. It is common to confuse VAs with threat assessments, risk assessments, design basis threat, security surveys, security audits, fault or event tree analysis, data analytics, “red teaming”, and penetration testing. While these things are definitely worth doing, they are not a good substitute for a holistic, imaginative VA done by people thinking like the bad guys. If you want to predict how the bad guys might attack, you need to think like they do. Bad guys don’t do threat assessments, risk assessments, design basis threat, etc. They do VAs. For more discussion of the myths and misconceptions surrounding vulnerabilities and VAs, see: “Vulnerability Assessment Myths”, Journal of Physical Security 7(1), 31-38 (2014) and “Why Security Fails”, Journal of Physical Security 8(1), 37-39 (2015), both at http://jps.rbsekurity.com. Also see, “The Fear of NORQ”, Homeland Security Today 11(4), 39-41 (2014), http://www.nxtbook.com/nxtbooks/kmd/hst_20140607/#/40. ***** 3-D Printing and Keys A group of lock-picking and security hobbyists demonstrated how to duplicate a lock key from an online picture of the key. Anyone with a 3-D printer can use the resulting CAD files to make a copy. 
The keys in question were the master keys that TSA uses to open their “approved” luggage locks—which are not high security locks. In one sense, this is nothing new. Talented locksmiths have supposedly been able to read the pattern of cuts in a key at a distance when the key is flashed in a parking lot, then make a duplicate key without ever having handled the key. The advent of 3D printing just makes this easier. Bottom line: do not show your keys in public or let them get photographed! For more information on the 3-D printer hack see: http://www.wired.com/2015/09/lockpickers-3-d-print-tsa-luggage-keys-leaked-photos/
*****

Fly the Friendly Skies

According to the Chicago Tribune, 4/20/2015 on page 13: United Airlines stopped a prominent security researcher, Chris Roberts, from boarding one of its planes after he had posted a suggestion online that the airline’s onboard system could be hacked. He was on the way to speak at a major security conference.

This is a good example of Feynman’s Maxim: An organization will fear and despise loyal vulnerability assessors and others who point out vulnerabilities or suggest security changes more than malicious adversaries.

The maxim is named for the physicist Richard Feynman. During the Manhattan Project, when he pointed out physical security vulnerabilities, he was banned from the facility, rather than having the vulnerabilities dealt with (which would have been easy to do).

*****

Bully For You

A new study suggests that abusive bosses often bring their abusive behavior into the workplace because of problems at home. The study also found that supervisors and managers are more likely to engage in (non-physical) abuse of employees if they felt their organization would let them get away with it. (Many do.)

While only 14% of U.S. employees report being the victim of a (non-physically) abusive boss, the security risks that abusive bosses create are substantial for the insider threat—not to mention the impact on employee performance, productivity, morale, turnover, and recruitment. An organization’s reputation can also be harmed.

To read about the study, see http://newsroom.niu.edu/2015/09/24/bosses-unhappy-at-home-wreak-havoc-at-work/

*****

Performance Anxiety

The large consulting firm Accenture is eliminating annual performance reviews and rankings for all its 330,000 employees. The company believes the annual review process is too time-consuming and expensive, and the benefits are minimal. Accenture will now do more timely feedback from managers on an ad hoc basis.
Microsoft did something similar in 2013. Instead of annual performance reviews, Deloitte now encourages team leaders to check in with each team member once a week,
and to focus on future performance, rather than obsessing about issues from the past. Other companies now hold quarterly or monthly reviews or conversations, rather than annual ones.

Multiple studies (and common experience) have shown that the traditional annual performance reviews often cause enormous amounts of employee annoyance, resentment, and disgruntlement. Supervisors and managers who write the reviews often have no idea what they are talking about or what their employees really do. Annual performance reviews can damage morale and aggravate the insider risk. They do not effectively motivate employees, but rather waste time, money, and energy. The year-long delay in feedback makes the review nearly useless as a metric and for improving employee performance.

Vauhini Vara had an excellent article on this issue in the New Yorker. See http://www.newyorker.com/business/currency/the-push-against-performance-reviews

*****

JPS Peer Review

The Journal of Physical Security uses a blind peer review process. This means that the reviewer(s) are anonymous but the author(s) are not. Reviewer anonymity means that they can feel freer to offer commentary without issues of attribution. Some journals—though not many—use a double blind review process where both the author(s) and reviewer(s) are anonymous.

One disadvantage of a double blind review process is that the reviewers can typically guess the authors’ identities from the references, acknowledgements, past work, or other hints in the paper. It can be very difficult to remove such clues. Moreover, the identity and affiliation of the author(s) is often useful to single-blind reviewers in identifying any conflicts of interest, and determining if the author(s) have sufficient resources and approvals to conduct their research and analysis.

Of course, there are disadvantages to single-blind reviews, too.
Reviewers can hide behind their anonymity when offering lazy or unnecessarily snarky reviews. Conflicts of interest on the part of the reviewers are not publicly obvious. To a considerable extent, however, a good editor can at least partially mitigate these disadvantages. JPS usually has 2 anonymous reviewers for Research Papers, and 0, 1, or 2 reviewers for Viewpoint Papers, depending on the topic and content. Reviewers are not compensated for their efforts. As editor, I have been very gratified by the careful thinking and hard work reviewers put into their reviews, and for their willingness to serve the physical security community without being able to receive any public recognition (or money!) in return. These are true security professionals.
If you think you would be interested in serving as an anonymous reviewer, contact the editor at http://jps.rbsekurity.com. Be sure to indicate your credentials and area(s) of expertise.

*****

The Limitations of Peer Review

Actual product reviews on Amazon.com:

This carbon monoxide detector saved my son’s life. I give it 4 out of 5 stars.

Review of the movie, “Captain America: the First Avenger”: WE HAD BARBEQUE. We invited family and friends over to watch this on blu-ray. When it ended, they got up and left. 2 out of 5 stars.

Review of the movie, “Rocky III”: ARE YOU KIDDING? I have colleagues who might read this so even if I did enjoy this film, I could not admit to it on this quasi-public site. I am in enough trouble just for responding. 1 out of 5 stars.

Review of the movie, “Rise of the Planet of the Apes”: There is no way an orangutan can ride a horse without crushing it. 2 out of 5 stars.

Review of Herman Melville’s novel, Moby Dick: A complete rip-off of the movie “Jaws”. 1 out of 5 stars.

Review of Anna Karenina by Leo Tolstoy: Parts of the book were discussing political views nothing to do with Anna. It appeared there were many main characters not only Anna. 2 out of 5 stars.

Review of the book, Where is Baby’s Belly Button: A Lift-the-Flap Book: This book is completely misleading. The entire plot revolves around finding Baby’s belly button; the title makes this much clear from the beginning. However, there is no mystery. There is no twist. Baby’s belly button is right where it’s suppose to be, on Baby’s stomach. Right where it clearly SHOWS you it is on the COVER OF THE BOOK. This plot is a complete mess as a result of it’s reliance on the mystery of where the belly button is; everything falls apart the second you realize that the belly button was in plain sight all along. There is no conflict, there is no character development, and there is scarcely any plot.
Whoever wrote this book must have a serious error in judgment, because you would have to be an infant to not immediately understand where Baby’s belly button is. This is one of the worst pieces of literature I have ever read. 1 out of 5 stars. *****
The Study of Stupid

Research on stupidity may have some lessons for security, as stupidity seems to be involved in a lot of security blunders. Interesting research of this type is discussed in the following article: Roberto A. Ferdman, Washington Post, October 19, 2015, http://www.washingtonpost.com/news/wonkblog/wp/2015/10/19/how-to-act-less-stupid-according-to-psychologists/.

*****

Scary Lucy

In 2009, a 400-pound bronze sculpture of actress Lucille Ball (1911-1989) was erected in a park in her hometown of Celoron, NY. The statue has been described as having zombie-like eyes with a deranged toothy grin, and is considered particularly scary at night. (You can see a photograph at http://www.washingtonpost.com/news/morning-mix/wp/2015/04/07/in-lucille-balls-hometown-scary-lucy-haunts-her-memory/) The statue will eventually reside in the National Comedy Center, though the sculptor has promised to redo it.

*****

Glad You Warned Us!

I know I have been traveling too much when I read the snack wrappers handed out on airplanes. The packet of “Honey Roasted Peanuts” you get on Southwest Airlines, which lists peanuts as the number one ingredient, warns us in small print on the back that the contents are “produced in a facility that processes peanuts…”.

-- Roger Johnston
Oswego, Illinois
November, 2015
Journal of Physical Security 8(2), 1-14 (2015)

Single Service or Bundle: Practitioner Perspectives on What Makes the Best Security

Martin Gill and Charlotte Howell
Perpetuity Research & Consultancy International Ltd
11a High Street
Tunbridge Wells, Kent, TN1 1UL
United Kingdom

Abstract

The aim of this paper is to discuss the relative advantages and disadvantages of providing security services as either a single service or as part of a bundle. It is based on one-to-one interviews with 72 respondents, 44 from client organizations (and including security and facilities managers) and 28 suppliers (including representatives from security only providers and facilities management companies). While there are supporters of supplying security both as a single service and as part of a bundle, the arguments used to support each are based on experience and perception rather than evidence. This study is presented as a first step in identifying key issues that pertain to the deployment/integration of security alongside other facilities management services. There is a need for more evaluative research.

Key words: security services, bundled services, client/supplier relationships

Context

It has long been recognized that there are different ways of outsourcing and a variety of frameworks are in evidence (McIvor, 2005; 2008; Varadarajan, 2009) for a variety of different facilities management services. The motive is often highlighted as an economic one although this is but one of many possibilities (see, McIvor, 2008; Shekar, 2008); much depends on the type of outsourcing model being discussed, and there are many. Willcocks et al. (2007; 2009) helpfully identify four options which they term sole supplier, prime contractor, best-of-breed, and panel.

• Sole supplier: This is where all the services are supplied by a single supplier, sometimes considered to be Total Facilities Management (TFM).
• Prime contractor: This is where one supplier is responsible for a contract but may subcontract where it lacks expertise.
• Best-of-breed: This is where potentially a range of services are managed by the client.
• Panel: This is where a preferred group of approved suppliers compete for contracts.
In reality, there are a variety of ways of classifying services (see also, BIFM, 2007; 2012), and since outsourcing is complex (see, Nordin, 2006), ‘ideal type’ models often disguise wide variations and overlaps in practice (see, Oshri et al., 2011; Willcocks et al., 2009b). A number of key points, though, are in evidence and are relevant to this paper. The first is that the decision on which model to choose rests with clients (see, Jain and Natarajan, 2011), and at least part of the influence on their decision will be their own capability for managing the different options (Willcocks and Lacity, 2011; 2012). The extent to which they understand the potential barriers to implementing their chosen strategy (if they have one) will have important implications for how successful it is likely to be (Nordin, 2006). A second issue is that single service provision is typically viewed as less complicated, and that the scope for outsourcing in some sort of bundled way comes with experience and requires greater expertise (BIFM, 2007; Willcocks et al., 2009), not least in turbulent environments (Momme and Hvolby, 2002). Third, the scope for moving to some type of bundled provision depends in part on expertise emerging amongst suppliers (Oshri et al., 2011; Feeny et al., 2005; Willcocks and Lacity, 2009). Fourth, there are a range of advantages and disadvantages of different models in different sectors, albeit that many of these are not tested by independent research (see, BIFM, 2007; Willcocks et al., 2007; Willcocks et al., 2009; Interserve and Sheffield Hallam University, 2012). Indeed, some evidence suggests that not only will the effects of outsourcing be different for different functions, but that there is a danger that internal skills and knowledge that are lost by outsourcing will need to be mediated by effective management strategies (Agndal and Nordin, 2009).
Fifth, there is a lack of research on the pros and cons of different models in different facility management service areas. Both security management (Gill, 2014) and facilities management (Drion et al., 2012) are relatively new areas of study where the body of knowledge about what works and what doesn’t is still evolving. Indeed, despite research on the outsourcing of various areas of facilities management, such as business processing (Whitaker et al., 2010); engineering (Burdon and Bhalla, 2005); information services (Petry-Eberle and Bieg, 2009); and property management services (Yam, 2012), there has been little research on security services (but see, Hassanain and Al-Saadi, 2005). It is against this background that our research took place. The aim of this study was to identify practitioner perspectives on the relative merits of single service as opposed to bundling in one specific area that has received very little coverage in the facility management (FM) literature, that of security. The word ‘security’ in practice covers a wide variety of activities that often bear little relation to each other (for example locksmithing, security guarding, alarm installation). There is a tendency to discuss security in terms of personnel services (such as manned guarding and close protection) and technical services (such as alarms and CCTV), the approximate equivalent to soft and hard facilities management. (For a discussion of the security sector, see Gill, 2014.) The approach in this work was to identify and interview a wide range of individuals using the different models in practice to help understand the key issues involved in single service and bundling (these terms will be defined later in this paper) which involves
security. A snowball sampling strategy was used. This involves using contacts and word of mouth to identify relevant people to take part in the study. An advantage of this method is that it allows access to members of the population who may be difficult to identify and engage by other means. Moreover, it allows for potentially more valuable responses, as those taking part are more likely to be knowledgeable about the research. Indeed, one of the early findings was that knowledge about the benefits and drawbacks of providing single service or bundling security was not clear-cut. Against this, however, snowballing is a non-random form of research sampling and it is therefore unlikely that the sample is representative of the total population, which should be kept in mind.

The interviews typically lasted thirty to sixty minutes, and semi-structured interview schedules were used. An advantage of a semi-structured schedule is that it gives the flexibility for interviewers to probe the issues raised. A total of 72 individuals took part in telephone interviews, mostly from the UK, but also from Australia (7), Canada (4), Europe (3) and a respondent working in the Middle East. Table 1 provides further information on the role of individuals taking part.

Table 1: Breakdown of interviewees (n=72)

Clearly, the sample was not intended to be representative; rather, we sought to engage participants who were involved in different aspects of security—both single service and bundled—to better understand the pros and cons of different types of security service purchase and delivery. It provides a foundation on which further studies may build.

Findings

Thinking about terminology

One of the early findings was that there remains widespread confusion in the terminology used (see, Varadarajan, 2009).
Interviewee Type                                        N
Clients (n=44)
  Security Managers                                     27
  Facilities/Property Managers                          14
  Consultants                                           2
  Procurement Specialists                               1
Suppliers (n=28)
  Bundled service provision                             10
  Single service provision                              9
  Combination of bundled and single service provision   7
  Advisory role                                         2

This included what was meant by single service, since some referred to a type of security as single service (say manned guarding) while some companies offering a variety of different services (including personnel and technical) considered this a single service because it was all related to security, when in
fact it is best described as ‘bundled security’. Indeed, it was possible to identify the following types of security delivery that do not fit easily into the four categories noted above:

• in-house: security provided in-house
• single service security: just one type of contract security provided
• bundled security: different types of contract security provided
• single service security supplied with a limited number of FM services
• bundled security supplied with a limited number of FM services
• single service security supplied with all other relevant FM services
• bundled security supplied with all other relevant FM services
• single service security supplied with a limited number of FM services with integration between them
• bundled security provided with a limited number of FM services with integration between them
• single service security supplied with all FM services with integration between them
• bundled security provided with all FM services with integration between them

This list reflects the somewhat complex array of arrangements that exist. Moreover, there was a belief that the further down the list one reads, the more complex the delivery. Just to add to this, sometimes there was a mixture of delivery approaches across sites or countries. In this short paper, it is not possible to examine the different risks and opportunities these arrangements present—a laudable aim though that would be. Rather, the focus here is to compare the relative merits of offering security on its own (whether single or a security bundle) compared to security combined with other FM services. The focus has been on other facility management services, but of course security is sometimes provided alongside an even broader range of services such as those focussed on safety and emergency management, such as managing natural disasters; this provides another potential field of enquiry.
The case for bundling security

There were three overarching reasons why clients and suppliers said they favored bundling. The first and most widely commented upon was that it offered cost savings for clients. There were a number of dimensions to the ways in which these could be achieved. Some noted there were lower overheads, which resulted from such factors as having to deal with fewer contracts (and under Total Facilities Management [TFM] or Integrated Facilities Management [IFM] models a single point of contact); less insurance and legal costs; having to manage fewer invoices and be involved with fewer accounts teams and such. Some argued that there was a need for less management and supervisory personnel in the contracted service, and others noted that as a consequence, there was less need for oversight in the client organization when services were managed collectively. Thus:
Sometimes (we) bundle security with facilities management, security and cleaning … That brings economies of scale … in the management, one account manager managing both.
Senior Regional Facilities Manager, Property Management

Straight away you will get economies of scale, you won’t be getting margin on margin or management on management.
TFM Director, Facilities Management

Reducing the number of contractors also meant that the profits each individual supplier had to make could be consolidated; a supplier involved in offering a range of services would be more amenable to reducing its profit margins in return for a larger slice of the available business. Some noted that in a bundle, one service might be charged out at cost in order to generate a profit in other areas, and at least one supplier had this under consideration. Manned guarding was seen as a prime contender here because the margins were so slight that some wondered whether there was a viable future for a single manned guarding service in the mass market in the absence of a change in buyers’ behavior.

A second point, and one that implied cost savings but accrued other benefits was the opportunity that bundling provided for improved management practices. Some here pointed to the benefits of instilling a specific corporate style to the provision of services across sites, which becomes especially possible with one or fewer suppliers. In a different way, bundling was perceived as being good for facilitating cooperative working, and this had a number of dimensions. The opportunity to avoid the restrictions implicit in a silo mentality was considered important by providing a platform, via joint management, of encouraging service lines to work together where appropriate.
There has been a major emphasis in recent times in various types of collaboration with a range of buzz words to depict various types of co-operation including integration (BSIA, 2007; De Toni and Nonino, 2009), convergence (Hunt, 2010; Willison et al., 2012), and partnerships (Prenzler and Sarre, 2012; Yang and Wei, 2012) to name but a few. Amongst both buyers and suppliers, there was widespread agreement that there was confusion about what these terms meant, but for the purposes of this study, the fact that some type of collaboration was typically a good thing as far as effective security was concerned generated support for bundling. On the people side, integration typically involved multi skilling individuals, or at least in engaging them with a more varied set of duties. This was seen as an opportunity to build teams with different service lines supporting each other. It provided more varied work for staff, enhanced their commitment and reduced turnover. This applied to management, too, in being able to take on new opportunities with greater responsibility than might otherwise exist. And on the technology side, a number of suppliers (in particular) identified the potential for systems to provide for better integration, and specifically for security systems to enable the better functioning of other systems, more cost effectively and with more benefits than if the services were provided separately. Moreover, it was argued that the integration of technological systems, security with non-security, and security technology with security people facilitated innovation. For suppliers, this was
especially important. Many lamented the growing power of procurement within organizations, which was seen to drive prices and profits down. Some felt that the only way margins could be protected was by being afforded the opportunity to combine technology with manpower.

(There are) economies of scale in teams helping out in other areas, multi – cross skilling, if done right, with the right training and skills (means you can) utilize labor better.
Security and Operations Manager, Event Centre

Cleaners can be on the look out for any problems and help reduce crime by noticing who should not be in places … On the security side, guards pick up papers as they walk around.
General Manager, Security, Shopping Centres

There was a third major influence behind the move to bundling, and that was the growing expertise of both clients to understand their needs and develop a bundled response, and of suppliers to deliver a range of services under one umbrella. Indeed, some clients noted that they had been drawn to bundled services by developments in the supplier market, and interestingly, some interviewees from overseas (and especially outside major conurbations) lamented the lack of multi service providers to meet their needs. One client noted:

Actually, opportunity is the biggest factor here. I have a provider able to provide the solution that drives this largely, and were my contractor not providing this solution, we wouldn’t have adopted it.
Head of Security, Bank

Security providers were one-trick ponies, just [offering] guards or cameras or intrusion alarms. [Now] more and more companies are becoming a bit of a supermarket, they are moving from [being a] specialism to [a] master of [all] trades. So it makes sense: one source for all or most of services required.
Security Advisor, Energy Provider

Bundling was rarely argued to provide a better quality of security delivery than single service; however, suggestions that quality would be sub-standard in a bundle were refuted. Proponents of bundling argued that a good procurement process and effective management can ensure that the quality of service provision is maintained. It was also noted that bundling could facilitate the standardization of processes which improved efficiency and helped to ensure consistently high quality delivery.

The Case for Providing Security Single Service

A major reason why single service was advocated was because it was viewed as a ‘best in class’ service. This was enabled by security being provided by a specialist security
company and by the service, often the management, not being ‘diluted’ by the engagement of non-security specialists. Some corporate security managers felt that by first outsourcing and then by placing a Facilities Manager in charge of a company they lost direct control of security operations. This was not always the case; it in part depended on how it was structured and the skill sets of the facilities manager’s point of contact. Some corporate security people saw advantages in security being accountable to operational business units rather than them personally, but for many, the distancing of oversight was viewed as a further dilution of security expertise. Some typical comments on this issue from both buyers and suppliers included:

I have to say that from a security operational perspective … I see potential for compromise on security delivery and degradation of security … The drive for incorporated FM into a single contract is due to cost, not security efficiency.
Head of Security, Telecommunications

I was trying to raise security standards but in an FM bundle there is no focus on one service—jack of all trades—you don’t get the buy-in on what you are trying to achieve. I think things have moved on—some reputable companies have been bought out by FM and try to keep (the) specialism but you see them start to be eroded by the FM.
Head of Security, Finance Company

Security is a specialist business and it needs a security expert and if you don’t value security as a specialist skill, then you won’t value us as a security expert.
Chief Executive, Security Company (security only)

A FM manager has a different outlook, so his priority is almost certainly not security. Plus that manager may not have security experience first hand so may not have a good idea of risk management.
Regional Security Director, Manufacturer

A second reason why some said they preferred single service was because it led to management efficiencies. Some saw managing the link between security and other facility management services, not least where it involved anything approaching integration, as a complex one. Some suppliers noted that finding good partners was often a challenge, and finding staff that could multi skill (or wanted to) was a challenge. One supplier manager felt that the opportunity to manage a multi skill team had enabled him to develop personally and provided a welcome career fillip, but felt that many others would not feel the same. Moreover, it sometimes meant a dilution of services, as staff were asked to take on additional duties or be deployed in ways that rendered security less of a priority and, at least, involved less focus on security related tasks. In a different way, management of single service was seen to be easier in general because there was a longer tradition of this type of delivery and specifically because there was a direct relationship between the corporate security manager and the security supplier. Some lamented that with suppliers
of multi services, there was a tendency to subcontract some services, and there was always the danger that this might result in a poorer quality service especially if they were focused more on costs than quality, and subcontracting the service area in question was not their specialist expertise. Furthermore, some were against employing one company to undertake a variety of roles, and that was because it entailed ‘putting all your eggs in one basket’; in short, this amounted to poor risk management. Finally on this issue, some clients admitted that they were not geared up for anything other than single service, and some suppliers in order to promote their security expertise, were keen to steer clear of any type of service that was not their specialism and in which they were not experts:

We use different suppliers for guards, and the contractor who does systems is different contractor and different again for fire. We go with the experts, rather than find a one company fits all.
Senior Manager, Facilities, Medical Systems Company

There are merits for buying security alongside waste, cleaning, but we had separate companies. The risk of one company doing it all, is that they generally try to subcontract and so you don’t know what you get. But it is cheaper. Specialists really know more about the topic.
Operations Services Manager, Blood Service

A third reason why some buyers and suppliers stated they preferred single service over bundling was because it was more cost effective. They were rarely referring to the price paid here, more in relation to the risks involved in leaving security to a non-specialist company, or overseen by non-security experts noting that the consequences of a security failure can cause unlimited reputational damage and result in lasting and even devastating consequences for the client.
It was noted that security experts are better placed to monitor the changing risk landscape and keep abreast of new measures and different ways of working as they evolve. Single service suppliers in particular also noted that cost savings that are perceived to come with bundling could in fact often be achieved by looking at security holistically and relating mitigation measures to risk, and looking imaginatively or innovatively at the use of people and technology. Some argued that this not only avoided a dilution of security, it also afforded an opportunity for clients to make cost savings and suppliers to protect margins:

There is a perception that bundled brings huge cost benefits, because it takes away the inefficiencies of multiple managers, sharing back office resources, economy of scale etc. This is a misconception because on larger contracts, if the customer works with you, you … can save cost on single if provider works innovatively with customers.
MD, Security Company

Those favoring single service argued that it protected the organization from a dilution of expertise, and suppliers especially promoted the case that, if done imaginatively, it could be achieved cost effectively and generate management efficiencies.
Suppliers in particular felt the benefits of co-operation implicit in bundling can also be achieved by ‘partnerships’ and ‘joint working arrangements’ without diluting expertise. The point is more important than saving jobs; it was argued that both the status and the effectiveness of security in organizations is enhanced where there is a security specialist or expert on both the buyer and supplier side.

Determining the Strategy and Whether it Works

While it has long been recognized that there can be a variety of influences on strategy (see, Burdon and Bhalla, 2005), in this study, 7 key factors emerged as important. First was the policy of the organization towards outsourcing, and whether there was a well developed strategy that guided policy (see, Nordin, 2006). Some companies had a way of providing services dictated or directed from the center, and this meant there was a reference point for how things should be done, although it seems that most often, even where a strategy/policy did exist, it was flexible (at least as far as security was concerned).

Second, some clients recognized that they were only geared-up for single service, and others felt they had developed sufficiently to bundle security. The skill sets of the client are crucial.

A third factor was the skill sets of the suppliers and, as noted above, some clients were led towards bundling (both of security and with facilities management) by the competence of suppliers, and some refrained from heading this way because of what they saw as the lack of availability of services to meet their needs in the market. Others had tried bundling and stopped because the service levels were short of their requirements. Where there was a single point of contact—a key benefit of bundling—the competence of that contact could characterize how it was perceived.
It is important to note that there is a range of features that combine to make bundling work, including the ability to multi skill or integrate, the ability to find staff including managers who can multi skill and keep them, and to structure the business so that internal competition does not undermine collaboration.

A fourth key factor was the status of the head of the security function, and not least his or her relative status to that of the head of facilities management and procurement. Where security was of a lower status to facilities management, it would often (but not always) reflect an emphasis on bundling compared to single service in outsourcing arrangements. The role of procurement was generally seen to have a major impact, and where procurement was seen to be of a higher status, which is not unusual (Gill and Howell, 2012), then that could lead to a greater emphasis on cost rather than quality.

A fifth factor, somewhat following on from this, is the importance of security to the organization. There was a tendency for security to be provided as a single service where it was crucial to the organization, perhaps because of regulatory requirements or because of persistent or serious threats.

A sixth factor was the role of security within an organization. Some suppliers who favored single service noted that they did not see bundling as a problem where there was some form of accountability to, or second best, engagement with a security specialist in the client organization. Many suppliers and some security experts felt the quality of security was diluted where there was a break in the link between internal security and security contractor.

A seventh and final point was the nature of the contract
and whether the focus was primarily on delivering an excellent service or on reducing costs to the maximum extent.

The findings revealed a clear tendency for corporate security directors to favor single service and facilities managers to favor bundling. On the supplier side, specialist security companies generally favored single service and facility management companies bundling. Although this was to be expected, it was not a hard and fast rule. Similarly, there was a tendency for clients and suppliers to highlight different features. So while clients said they favored bundling because of cost savings, efficiencies in delivery, the growing competence of the market, and the opportunity for standardization across sites, suppliers focussed on cost savings, followed by innovation, the benefits of multi skilling staff, and the opportunities for technology. This evidence would suggest that there was more to be done to bring clients’ attention to potential benefits.

With regards to single service, clients highlighted the value of security as a specialism which should not be diluted, the greater ease and experience of managing single service (in providing a more efficient form of management and a less risky one), and in saving costs in terms of incurring less risk. Suppliers largely agreed, also noting that a focus on security as a specialism additionally protected internal jobs.

Discussion

Security is but one element of facilities management. When asked whether security was different in any way to other services, answers reflected the relative importance of security to the organization. Some felt it was just the same. Where it was different, it was noted that it was regulated (in some countries at least), was a 24-hour requirement (in some cases), and that if it went wrong, it could lead to catastrophe.
Others noted that security staff not turning up for work would be less noticed by staff than caterers not providing food, or the air conditioning or company server not working; in short, it varied. And security covers a wide variety of activities. On the technology side, integration is less intellectually problematic to understand (although in practice it is far from commonplace), but the integration of people represents a real challenge, which only some claim was managed effectively.

Certainly the arguments presented in favor of single service, principally that it is best in class, are being challenged by those facilities management providers who believe that multi skilling and integrated services offer a better form of security. On the other hand, the claim of supporters of bundling that it is more cost effective is challenged by single providers who argue the real costs of increased risks and the opportunity for more efficient ways of working offer an alternative perspective.

The inclusion of different types of security services in bundling arrangements is not new, but it has received relatively little attention. Although some interviewees claimed that they had noticed a trend towards more bundling over single service, the research approach taken meant that this needs to be substantiated by future studies. However, if it is true, it raises the question as to whether this reflects a structural change in the way services are delivered or is more cyclical and a reflection of the current priorities clients are attaching to cost over risk in choosing how
security is provided.

The evidence from this study highlights the lack of a common language to describe outsourcing arrangements, and the paucity of evidence to support arguments for and against different options; there has been little independent evaluation of the claims being made. The aim of the research was not to develop a fact-based model to guide decision-making, a laudable aim though that would be. Hopefully this study has provided a more informed foundation for assessing the implications and potential effectiveness of different models of security service delivery. The benefits and drawbacks of different service options seem finely balanced and need to be better understood if organizations and suppliers are to combine to provide the most effective security.

References

Agndal, H. and Nordin, F. (2009) ‘Consequences of outsourcing for organizational capabilities: Some experiences from best practice’, Benchmarking: An International Journal, Vol. 16:3, pp. 316-334.

British Institute of Facilities Management (2007) The Good Practice Guide to FM Procurement, Redactive Publishing Limited.

British Institute of Facilities Management (2012) FM Categories (http://www.bifm.org.uk/bifm/knowledge/resources/Categories).

BSIA (2007) A Guide to Integrated Security Management Systems, BSIA.

Burdon, S. and Bhalla, A. (2005) ‘Lessons from the Untold Success story: Outsourcing Engineering and Facilities Management’, European Management Journal, Vol. 10:5, pp. 576-582.

De Toni, A.F. and Nonino, F. (2009) ‘The Facility Management: Non Core Services Definitions and Taxonomy’, in De Toni A.F., Ferri A., Montagner M., Open Facility Management: a New Paradigm for Outsourced Service Management, pp. 3-28, MILANO: IFMA.

Drion, B., Melissen, F. and Wood, R. (2012) ‘Facilities Management: Lost or Regained?’, Facilities, Vol. 30:5/6, pp. 254–261.

Feeny, D., Lacity, M., and Willcocks, L. (2005) ‘Taking the Measure of Outsourcing Providers’, MIT Sloan Management Review, Vol. 46:3, pp. 41-48.

Gill, M. (ed) (2014) The Handbook of Security: Second Edition, Basingstoke: Palgrave.

Gill, M. and Howell, C. (2012) The Security Sector in Perspective. Leicester: Perpetuity Research.

Hassanain, M. and Al-Saadi, S. (2005) ‘A Framework Model for Outsourcing Asset Management Services’, Facilities, Vol. 23:1/2, pp. 73-81.

Hunt, S. (2010) Convergence: The Semantics Trap, Online article: CSO Online (available at: http://www.csoonline.com/article/560063/convergence-the-semantics-trap)

Interserve and Sheffield Hallam University (2012) The Changing Shape of Facilities Management Procurement, Interserve. (available at: http://www.interserve.com/docs/default-source/Document-List/sectors/commercial/the-changing-shape-of-facilities-management-procurement-march-2012.pdf?sfvrsn=10)

Jain, R.K., and Natarajan, R. (2011) ‘Factors influencing the outsourcing decisions: a study of the banking sector in India’, Strategic Outsourcing: An International Journal, Vol. 4:3, pp. 294-322.

McIvor, R. (2005) The Outsourcing Process: Strategies for Evaluation and Management, Cambridge: Cambridge University Press.

McIvor, R. (2008) ‘What is the Right Outsourcing Strategy for your Process?’, European Management Journal, Vol. 26, pp. 24-34.

Momme, J. and Hvolby, H-H. (2002) ‘An outsourcing framework: action research in the heavy industry sector’, European Journal of Purchasing and Supply Management, Vol. 8:4, pp. 185-96.

Nordin, F. (2006) ‘Outsourcing services in turbulent contexts: lessons from a multinational systems provider’, Leadership and Organization Development Journal, Vol. 27:4, pp. 296-315.

Oshri, I., Kotlarsky, J., & Willcocks, L. (2011) The Handbook of Global Outsourcing and Offshoring: Second Edition, Hampshire: Palgrave Macmillan.

Petry-Eberle, A. and Bieg, M. (2009) ‘Outsourcing information Services’, Library Hi Tech, Vol. 27:4, pp. 602-609.

Prenzler, T. and Sarre, R. (2012) ‘Public-Private Crime Prevention Partnerships’, in Prenzler, T. (ed) (2012) Private Security in Practice: Challenges and Achievements, Basingstoke: Palgrave.

Shekar, S. (2008) ‘Benchmarking knowledge gaps through role simulations for assessing outsourcing viability’, Benchmarking: An International Journal, Vol. 15:3, pp. 225-41.

Varadarajan, R. (2009) ‘Outsourcing: Think more Expansively’, Journal of Business Research, Vol. 62:11, pp. 1165-1172.

Whitaker, J., Mithas, S. and Krishnan, M. (2010) ‘Organizational Learning and Capabilities for Onshore and Offshore Business Process Outsourcing’, Journal of Management Information Systems, Vol. 27:3, pp. 11–42.

Willcocks, L., Cullen, S., Lacity, M. (2007) The Outsourcing Enterprise: The CEO’s Guide to Selecting Effective Suppliers. Logica in association with the LSE Information Systems and Innovation Group. pp. 10.

Willcocks, L. & Lacity, M. (2009) The Practice of Outsourcing: from IT to BPO and Offshoring, Palgrave: London.

Willcocks L, Oshri, I & Hindle J (2009) To Bundle or not to Bundle? Effective Decision-making for Business and IT Services, Accenture.

Willcocks, L., Oshri, I., & Hindle, J. (2009b) Client’s Propensity to buy Bundled IT Outsourcing Services, White Paper for Accenture.

Willcocks, L and Lacity, M. (2011) ‘What Suppliers would tell you if they Could’, Outsourcing, Issue 6, Autumn. pp. 6-14.

Willcocks, L and Lacity, M. (2012) ‘What Suppliers would tell you if they Could 2’, Outsourcing, Issue 8, Spring. pp. 28-34.

Willison, J., Kloet, F., & Sembhi, S. (2012) Security Convergence and FMs: the Learning Curve, Online article: Ifsec Global (available at: http://www.ifsecglobal.com/security-convergence-and-fms-the-learning-curve/)

Yam, T. (2012) ‘Economic Perspective on Outsourcing of Property Management Services’, Property Management, Vol. 30:4, pp. 318-332.

Yang, C. and Wei, H. (2013) ‘The Effect of Supply Chain Security Management on Security Performance in Container Shipping Operations’, Supply Chain Management: An International Journal, Vol. 18:1, pp. 74–85.

About the Authors

Professor Martin Gill is a criminologist and Director of Perpetuity Research which started life as a spin-out company from the University of Leicester. He holds honorary/visiting Chairs at the Universities of Leicester and London.
Martin has been actively involved in a range of studies relating to different aspects of business crime, including the causes of false burglar alarms, why fraudsters steal, the effectiveness of CCTV, the victims of identity fraud, how companies protect their brand image, the generators of illicit markets and stolen goods, to name but a few. Martin has been extensively involved with evaluation research and with the offender’s perspective, looking at how they target certain people and premises and aim to circumvent security measures. He has published 14 books including
the second edition of the 'Handbook of Security' which was published in July 2014. Martin Gill is a Fellow of The Security Institute, as well as a member of the Company of Security Professionals (and a Freeman of the City of London). He is a member of both the ASIS International Research Council and the Academic and Training Programs Committee and a Trustee of the ASIS Foundation. In 2002 the ASIS Security Foundation made a ‘citation for distinguished service’ in ‘recognition of his significant contribution to the security profession’. In 2009 he was one of the country’s top 5 most quoted criminologists. In 2010 he was recognised by the BSIA with a special award for ‘outstanding service to the security sector’. In 2015 IFSEC placed him in the top 10 most influential fire and security experts in the world.

Charlotte Howell is Research Manager at Perpetuity Research. She has conducted a wide range of projects on crime and security including consulting with offenders, victims, security professionals and the police. Charlotte also manages the running of the Secured Environments accreditation—a police accreditation run by Perpetuity Research on behalf of the Association of Chief Police Officers. Charlotte holds a first class LLB (Hons) in Law and an MSc in Criminology.
Journal of Physical Security 8(2), 15-36 (2015)

How Social Media is Transforming Crisis Management and Business Continuity

Gerald D. Curry, James J. Leflar, Marc Glasser, Rachelle Loyear, Briane Grey, Tim Jordan, Leonard Ong, Werner Preining, and Jose Miguel Sobron*

ASIS International Crisis Management and Business Continuity Council

Key Words- Social media, emergency operations, crisis management, emergency management, disaster

Terminology-

Social Media: an aggregate term for networking sites, messaging sites, texting, and other web-based or mobile technologies that support social interaction. Examples include Facebook, YouTube, Twitter, Instagram, Google+, LinkedIn, Plus, Tumblr, email, etc.

Emergency Operations: this term was selected to encompass the many similar terms such as emergency management, crisis management, business continuity, disaster management, disaster recovery, and emergency planning. The differences between these terms are often discipline- or industry-driven, but the differences do not justify using all of the terms when describing emergency operations. Emergency operations are the managerial functions charged with creating the framework that helps organizations, communities, and individuals reduce vulnerability to hazards, and cope with disasters.

___________________________

* All of the authors are active members of the ASIS International Crisis Management and Business Continuity Council. This study, conducted as a Committee project of the Council, was unfunded and is free of any known conflicts of interest. The American Society for Industrial Security (ASIS) International is a prominent professional security organization with Chapters and Councils. The Crisis Management and Business Continuity Council promotes crisis management, business continuity, and organizational resilience standards and best practices worldwide. More information about ASIS International is available at https://www.asisonline.org/Pages/default.aspx.
Author affiliations: Gerald D. Curry, DM, Environmental Management Office, Safeguarding and Security, Department of Energy. James J. Leflar, Jr., MA, CPP, CBCP, MBCI, Senior Physical Security Consultant, Zantech IT Services. Marc Glasser, MS, CPP, Managing Director, Resilience Management LLC. Rachelle Loyear, MBCP, MBCI, PMP, Enterprise Director, Business Continuity Management, Time Warner Cable. Briane M. Grey, Senior Vice President, Director of Corporate Security, City National Bank. Tim Jordan, B.A., AMBCI, Senior Consultant, Automation Consulting Group, GmbH. Leonard Ong, CPP, ASIS International Information Technology Security Council. Werner Preining, CPP, ASIS International, Chapter Chairman, Austria Chapter 107. Jose Miguel Sobron, Department of Safety and Security, United Nations.
Abstract

The purpose of this paper is to investigate social media usage in crisis management planning, response, and recovery activities. Social media usage during an emergency event to gather immediate information has been demonstrated as an alternative when traditional forms of communication have been less effective. Most of the messages transmitted using (or through) social media are from non-traditional media sources, and the medium has become an expected source for traditional news agencies, as every cellular smart device user in the world has the potential to be an information broadcaster. This research survey explores the role social media is having on crisis management for security professionals. Survey participants consisted primarily of ASIS International members.

Introduction

Social media is being leveraged across global disciplines or industries, and according to an overwhelming majority of ASIS International security professionals who participated in this study, an established practice has been laid in emergency operation planning. The purpose of this paper is to explore and report the varying means by which social media is being used by practicing professionals for generating alert messages, confirming personnel and other asset accountability, and keeping key stakeholders—including the general public—informed on crisis events.

This study uses a mixed methods (quantitative and qualitative) research design to analyze the survey results. The qualitative section of this paper identifies thematic topics that point to the depth of social media frequency and the quality of its use. Several questions were asked of 154 participants who confirm their acceptance of this tool as an information channel. Additionally, the survey addresses the future of how social media will be used to help security professionals achieve their protective responsibilities.
This paper uses a traditional research model and format in discussing the highlights of the survey. The qualitative section sets the foundation for this paper, as the survey participants help the reader to better understand the reasons and rationale of “how” and “why” social media is being incorporated into emergency management, including preparedness and mitigation planning. The data collected are rich in critical information for discovering new social media techniques as it pertains to contingency operation planning, and for determining the depth to which social media is currently being utilized.

The qualitative research methodology offers the opportunity to review the data from a shared perspective, by reducing limits and potential research barriers. We did not develop a particular theory, but rather offer security-practitioner perspectives on how social media is being utilized in emergency management. Additionally, the results will reveal how social media is being used throughout the emergency operations industry by expediting alert messaging. This study offers new insights on the tremendous possibilities for the use of social media platforms in emergency management.
The quantitative section of this paper summarizes the depth of this study by reviewing the strength of social media’s application in real world scenarios. However, it was not enough to gather data on whether or not social media is saving lives. Also needed was an examination of how it is being used, and at what frequency. These questions were all important, and helped to direct the research to a stronger, more applicable conclusion.

The sample size for this research was 154 participants. The majority of participants were ASIS International members. This study provides an in-depth description of the social media domain within the dealings of these security professionals. This study leverages quantitative methods to determine statistical results and qualitative research to explore social media’s usage, in hopes of developing a comprehensive understanding. We hope this study will serve to inspire future studies on this subject. Our study divided the analysis of questions into qualitative and quantitative in order to explore the full spectrum of inquiry.

Social media has received significant societal attention. Social media has also completely changed the way people engage one another and, more importantly, how businesses connect with potential clients and customers. Social media has become the one common denominator that the world’s citizens understand and use on a daily basis. The preferred online applications may change from country to country, but the basics of being able to reach mass numbers of people quickly has been accomplished through social media.

Purpose of the Study

The purpose of this study was to document established ASIS International security professionals’ social media processes, identify frequency of social media use, and help provide a global perspective to improve contingency operations.
Additional research opportunities are identified later in this paper; these will lay the foundation for security professionals to identify and potentially benefit from further social media benefits applicable to security professionals worldwide. Social media has rapidly become a societal norm (Kaplan, 2012), and it is important for security professionals to assess its use. The Department of Homeland Security’s Federal Emergency Management Agency (FEMA) reports that, “Social media is a new technology that not only allows for another channel of broadcasting messages to the public, but also allows for two way communication between emergency managers and major stakeholder groups.” (FEMA, 2015, paragraph 1). The social media technology is still considered to be in its infancy and thus requires dedicated exploratory research. This study examines the utility of social media in emergency management by security professionals, so industry leaders can predict its current and long-term applicability. Often, new technology comes and disappears just as quickly as it arrives. Social media seems to be significantly different; this study concludes that many security professionals around the world are using some aspect of social media for emergency notification, keeping
stakeholders engaged, and making critical documents more accessible. Our study aims to expand the conversation on social media being used in emergency management.

Literature Review

There is an enormous amount of literature on social media and its increased utilization in emergency management. This study leveraged the closest and most relevant resources to expand the narrative pertaining to this important topic. The survey was used to better understand and identify the professional pervasiveness of the platform, assess if the tools are embedded in current policy, and explore future possible applications of social media. The literature used in this study aims to better understand these three tenets, and confirm the research results.

Kaplan (2012) offers an overview in his “Social Media In Emergency Management: A Quick Look,” and suggests social media can be used as a means for public service announcements, a dependable resource for information for emergency responders, and can provide immediate feedback for all stakeholders through its crowdsourcing capabilities. Additionally, Kaplan (2012) validates the fact that social media has quickly become the subject of vigorous academic and professional studies. In fact, FEMA Administrator Craig Fugate uses his Twitter application to converse with industry professionals and the general public.

Su, Wardell, & Thorkildsen (2013, page 1) in their work simply titled, “Social Media in the Emergency Management Field, 2012 Survey Results,” announce that “…76% of adults responding to a 2012 American Red Cross survey expected help to arrive in less than three hours if they post an emergency-related request on social media.” The study solidifies the fact that the public has a psychological expectation that once they post an emergency message in social media, the official authorities will acknowledge it and respond appropriately. Su, et al.
(2013) shares the finding that social media has created an expected demand by the public, and an additional platform for emergency management professionals. One critical question this survey asks is, “How knowledgeable are emergency management agencies regarding social media?” In Su, et al. (2013, page 2) the researchers do not stop there however; they continue to examine the issue by identifying the governance, technology, data/analytics, and processes that must be used to fully embrace social media. DHS (2012) uses their “Next Steps: Social Media for Emergency Response, Virtual Social Media Working Group and DHS First Responders Group,” to navigate the future of social media in emergency management. The DHS report recognizes that many United States government officials are turning to social media technologies to share information and connect with citizens during all phases of a crisis. In response to the global attention social media has drawn, the U.S. Department of Homeland Security’s Science and Technology Directorate (DHS S&T) has established working groups to provide guidance and suggest best practices for emergency preparedness and the response community. The DHS study concludes by highlighting six steps DHS needs to focus on: (1) Choosing the right
technology and application; (2) Developing strategy, policy, and procedures; (3) Setting and managing expectations; (4) Engaging the community; (5) Managing misinformation; and (6) Addressing challenges to adoption, including concerns related to privacy, public comment, record retention, public disclosure, health information, human resources, information technology, and security.

The USDE/REMS (2013) presentation accurately sums up the progress made to protect school children and teachers. The presentation provides an understanding of the benefits and challenges associated with employing social media in school crises. It builds on the traditional four phases of emergency management: prevention-mitigation, preparedness, response, and recovery. The presentation notes that in the aftermath of the Columbine High School shooting, and other horrific events that have occurred, social media use is gaining traction. The presentation confirms that 96% of young adults ages 18-29 own a smart device of some kind, and 73% of online teens (age 12-17) use social networking sites. The report highlights the fact that teens from lower income families are more likely to use online social networks (4 in 5).

Lindsay (2011) starts his discussion by confirming that social media is playing an increasing role in emergencies and disasters. His report cites research from Information Systems for Crisis Response and Management (ISCRAM) and the Humanitarian Free and Open Source Software (FOSS) Project, both groups that are exploring related linkages. The author shows how social media is being used in one of two ways: first, to disseminate information and receive feedback, and second, as a systematic tool to conduct emergency communications, such as issue warning messages, receive victim requests for assistance, monitor activities, establish situational awareness, and create damage estimates.
Social media has created a broad platform for emergency management professionals. Lindsay’s report summarizes how social media is being used by management officials. Hiltz, Kushma, and Plotnick (2014) offer a very unique opportunity of semi-structured interviews of U.S. public sector emergency managers to determine the use, and potential barriers to using, social media. They point out three barriers to social media use, which are (1) a lack of personnel time to work on social media, (2) a lack of policies and guidelines, and (3) concerns about trustworthiness of collected data. While these barriers or challenges are very real, social media usage continues to grow to epic proportions. One significant point Hiltz, Kushma, and Plotnick make is that even with the millions of people who are flocking to social media sites, the government has yet to establish an emergency management platform. Additionally, they cite Kavanaugh (2012) who reported that social media is not being used in a particularly thoughtful or systematic way (Hiltz, Kushma, & Plotnick, 2014, page 602). The Hiltz, Kushma, and Plotnick (2014) study focuses solely on two important questions: (1) what problems or barriers do these managers perceive in terms of using social media, particularly for gathering and acting upon real-time disaster posts in them?; and (2) what is their reaction to several potential types of tools that might enhance their use of social media? This research concludes that the lack of trained personnel is the primary reason the government has not fully embraced social media (Hiltz, Kushma, & Plotnick, 2014). This technology is dependent on
professional security managers and leaders who have the technical know-how to enhance operations internally, externally, and with key stakeholders.

Methodology

The ASIS International Crisis Management and Business Continuity Council (CMBC) developed a 17-question survey and received answers from 154 security professionals from across the globe who occupy security positions in federal, state, local, and private company positions. See the Appendix for the survey questions.

The web-based survey was available from July 6 to September 1, 2014, via Survey Monkey. The survey team published the link to CMBC members, who in turn shared the link with ASIS Chapter members and business colleagues who are associated with ASIS International. We believe the survey received a fairly wide distribution within the limited ASIS related population, but there is no indication of the total number of recipients. We estimate at least several hundred recipients, and likely many more.

The recipients and participants had some relationship to ASIS International, either as members or as professional colleagues of the research team, but there is no way to know the identities of the participants. The participants were anonymous, and the survey was completely voluntary. Participants were assured that any personal identifying information they provided would be kept confidential, and the final responses would be presented in aggregate form. We cannot make any claims concerning the participants’ representativeness of security professionals within a general population.

The participants consisted of 118 ASIS International members and 35 non-members. It should be noted that the 35 non-member participants who engaged in the study are security professionals, just not members of ASIS International.
Approximately 91.9% of the participants have been members of ASIS International for over five years, and 100% actively worked in a security or crisis management position as their primary profession. Interestingly, 58.3% held a professional certification such as the Certified Protection Professional (CPP), Certified Business Continuity Professional (CBCP), Master Business Continuity Professional (MBCP), or Certified Emergency Manager (CEM). 59.3% described their profession as security (non-data). This classification of security becomes interestingly important because it is used as an umbrella term, and translated to capture several security disciplines. Almost all participants held some level of college education; 84.2% held a bachelor’s, master’s, or doctorate degree.

The qualitative section asked 5 open-ended probing questions to better understand the progress that has been made in emergency operations by adjusting to the societal demand for social media. These questions very purposefully explored the depth of each participant’s professional involvement, including their participation in drills and exercises that leveraged social media. As with any survey, some participants failed to answer all questions, so we cannot determine or remark upon their responses to those questions. Several themes were garnered from the written responses that were provided, and these will be discussed in the next section.
